Get Started!

Xton Access Manager (XTAM) Frequently Asked Questions

 

Installation and Configuration

System Requirements

For Windows installations:
Windows Server 2008 R2+ or Windows 7+
For Unix or Linux Installations:
Red Hat, Ubuntu Server or Desktop, Debian and CentOS

Please click here for full system requirements and additional details.

What are nodes? Can you recommend a proper server configuration for my needs?

Xton Access Manager server is installed on a single or multiple physical or virtual computers and we call each of these computers a “node”. Single node setup is very easy and quick to configure; however, administrators might decide to utilize a multi-node deployment to increase performance, improve availability (in case when one of the nodes malfunctions) or improve security (to separate master password and encrypted data).

To read additional details about XTAM’s architecture, configuration and recommendations, please click here.

How do I connect to my own external database?

Xton Access Manager supports a wide range of the most popularly used databases system in the market. When configuring XTAM to use your own database, you will need to supply the database connection string. In general, the connection string will comply with the following example:

db-host or db-host:port

To view specific examples for each supported database, please review this page.

How can I configure XTAM to output to my Syslog server or appliance?

Many companies choose to centralize security and network logging to a single Syslog server or appliance to reduce the burden of log collection, investigation and reporting across many devices. While XTAM does include its own logging engine that captures and stores events, it can also be configured to output this information to your centralized syslog server.

To read how to configure this output, please review our How to Configure Syslog Output article.

I want to enable Password Reset tasks for my Azure or Office 365 accounts. What needs to be configured in Azure?

In order to rotate or reset Azure or Office 365 account passwords, you will first need to create and register an Azure Active Directory App in your Azure Portal.

Please follow the steps provided on this page to setup and configure this App in Azure and XTAM. Note that Administrator accounts are required for this procedure.

Where can I activate or register the software?

After the software has been successfully installed and the database has been initialized, it is a good next step to activate or register it. To register Xton Access Manager, please navigate to the following location:

Administration > Settings > Registration.

Enter your key in the Activation Code field, click Automatic Registration and once the key has been successfully verified click Save to complete the registration.

For a detailed walk-through of this process, including offline or manual registration, please click here.

How can I secure my client traffic to XTAM with a SSL certificate?

Xton Access Manager (XTAM) is a WEB application deployed into a WEB container that listens as a WEB Front End (WFE) for the incoming connections on the default port 8080. While this default setup is adequate for trial and moderate use of the application, the recommended configuration that opens this WEB container to the outside world involves a load balancer (reverse proxy) deployed in the front of the WFE or multiple WFEs. The reverse proxy is used to control incoming traffic, to load balance multiple XTAM WEB containers for high availability and scale ability options and also to secure the incoming traffic with a SSL certificate.

Please click here to read about how secure traffic works in XTAM and how to configure SSL during or post installation.

I am deploying a remote Session Manager component, where and how can I secure its connection with a certificate?

Xton Access Manager’s architecture allows scaling to offload components to other servers for performance, geographical or network reasons. One of these components is the Session Manager module. By deploying this component on a different server it can allow sessions to be established to computers or systems that may not otherwise be accessible.

While this allows for greater flexibility, it is important that the communication between the XTAM web and these remote Session Manager components be secured to limit their exposure. This security comes in the form of a certificate that ensures the communication cannot be intercepted.

Please click here to read about how to secure your Remote Session Manager.

Why is it so important to save my master password during installation? What would I need this for in the future?

Xton Access Manager (XTAM) encrypts sensitive data stored in the backend database using an AES-256 algorithm. This algorithm is based on the master key that XTAM uses to lock and unlock encrypted data. Without the master key nothing can decrypt sensitive data in your XTAM database.

Xton Tech Master Password Examples

Master Passwords generated and displayed during installation. Windows installation on the left and Unix on the right.

Continue reading here for additional information about the master passwords and its use.

 

General XTAM Usage

How can I save a file to a record?

Xton Access Manager’s Records can be used to securely store (encrypted) and share any file types including certificates, keys, archives and documents in its AES-256 bit protected database. This is extremely useful when needing to share file objects between trusted users while maintaining security and capturing audit events like who downloaded the file and when.

Please click here to view the steps required to create and store files within a secured Record.

I use another system to manage access, can I import their records?

To get you started using XTAM more quickly, the following import options are available to bulk create records and folders from third party systems.

1

Import from a CSV File

2

Import from a Remote Desktop Connection Manager save file (.rdg)

3

Import from an exported PuTTY file (.reg)

To import, simply navigate to the folder where you wish to have the import created, click the Import button and then select your file. Once the file is processed, your records and folders will be created and immediately available for you in the Records view.

For additional information about Importing, please review the Importing Records page.

Can I setup an approval workflow for extra security like Dual Control or Four Eyes?

Yes, XTAM provides the ability to secure user actions behind an approval workflow. Actions like unlocking a password or connecting to a remote session can be configured so that rather than a user simply accessing this functionality they would first need to be granted approval from a user(s). This provides that extra (dual) control or that extra pair of eyes (four eyes) to your privileged access management in XTAM.

To learn more about XTAM approval workflows, please start with the XTAM Request and Approval Workflows page and use the links at its bottom to read more.

If you want to jump right in, take a look at our XTAM Approval Workflow Getting Started Walk-through page.

Can I copy a file or clipboard text to or from Remote Sessions?

Yes, XTAM provides the ability to copy files and/or clipboard text between your local host computer and the remote host in your secured session. This transfer supports both Windows and Unix/Linux transfers as well.

To learn how to transfer between your local computer and your secured remote host session, please take a look at this page.

I want to receive (or stop receiving) alerts and notifications. Where is the option?

Alerts and Notifications within Xton Access Manager (XTAM) can be configured on either Records (Owners only), Folders (Owners only) or System Events (System Administrators only). These notifications will alert the user to activity that has taken place against that object within a short period of time. This is useful if a record contains a sensitive file or can establish a session to a privileged computer and you need to be aware of its activities.

Please click here to learn how to subscribe, unsubscribe and view alerts in Xton Access Manager.

How can I run a script like password reset (or a custom script) on one of my records?

Xton Access Manager provides the ability to associate and execute one or more Tasks on records. This can allow for elevated job execution by securely sharing this record (but not the password) with a user that would typically not be permitted to run such a command.

A Task is a combination of a Script (what is executed against the record) and a Policy (when it is executed against the record).

The following page walks through the steps to configure a task for your record.

How do I automatically reset my Azure or Office 365 passwords?

If Azure or Office 365 Admin accounts are shared or if they must remain secured, then it is imperative that they be stored in a secure location which provides the ability to rotate or reset the password as needed or automatically. This limits the ability of highly privileged Administrator accounts escaping the confines of your IT perimeter and being fished or social engineered by bad actors.

In the following FAQ article, we will describe the process of using Xton Access Manager to automatically rotate or reset passwords associated to Azure or Office 365 accounts. The first section will detail the configuration required for rotating the passwords for Admin accounts and the second will detail the process for non-Admin accounts.

How do I share a record or folder with someone?

When two or more users need access to a record or folder in Xton Access Manager, then the Owner of this object needs to share access to it which means to create or modify the Permissions associated to the object. When the permissions are modified and shared with a user (or group), then the Owner also needs to specify which level of control this user (or group) should have on the object.

Sharing and Permissions consists of a few key concepts; Users or Groups, Roles, Session Control and Inheritance.

The following page walks through these concepts as well as the steps needed to share or modify permissions on a Record or Folder.

Can I open my Sessions in a full browser screen instead of a smaller window?

Yes, XTAM secure remote sessions can be set to either open in a full screen browser view or a smaller, windowed view. If you are a XTAM Administrator, this can be set on a Global level or if you are an XTAM non-Administrator, then you can set your personal preference for your own sessions.

The following page describes how to configure both options.

How can I check and update the software to the latest version?

The development of Xton Access Manager follows an Agile development process which means a fast paced and frequent software release cycle. Due to this, the software provides an easy method to check for and ultimately deploy the latest version.

To update XTAM, please review the procedure detailed here.

How do I login and logout properly?

Users who have been granted permission or access to at least object will be able to login to Xton Access Manager using their appropriate account and password.

To login to Xton Access Manager:

1

Open your browser to the Xton Access Manager’s login page. The default is http://localhost:8080/xtam

2

When prompted, enter your account name and its password. Click the Login button to continue.

3

Upon successful login, you will be directed to the XTAM home page. If unsuccessful, please try again.

To logout of Xton Access Manager:

1

Locate and click the Logout button in the application’s top right bar.

2

For security reasons, please close your web browser after you completed the logout operation.

 

Common Questions

What levels of Permissions are available in XTAM?

Xton Access Manager provides a robust set of permissions that can be granted to users or groups (Principals) in order to control the level of access they have to objects and areas of the software.

Note that permissions in XTAM are additive, meaning that a higher level of permission includes all the roles of a lesser, and permissions can be inherited via folders.

Here is a list of available permissions and roles in XTAM.

What is the Auditor role and what does it permit?

XTAM now includes an additional Global Role named “Auditor”. This Auditor role allows for a Compliance Officer or Auditor to review and monitor the XTAM system and its records without having direct permissions to each object or exposing secrets and compromising security. Xton Access Manager Auditor Role

A user that has been granted this “Auditor” role:

  • Can View all records and folders. This includes Name, Description as well as any other record fields (except secured fields).
  • Can review Record Properties including Type, Created By and Last Modified By parameters.
  • Can access the Audit Log associated to records as well as the XTAM system.
  • Can access the Session History associated to records as well as the XTAM system.
  • Can access the Job History associated to records as well as the XTAM system.
  • Can access the Workflows associated to records as well as the XTAM system.
  • Can access the XTAM system Reports.

A user that has been granted this “Auditor” role:

  • Cannot “Unlock” or download secrets, passwords, certificates or any other object associated to a secured field.
  • Cannot Connect, Join or Terminate active sessions.
  • Cannot review a record’s Change History.
  • Cannot execute jobs, scripts or password reset tasks.
  • Cannot Create, Edit or Delete a folder or record.
  • Cannot Create, Edit or Delete a workflow, template, binding or grant approval.
  • Cannot modify Formulas, Tasks or Permissions of a record or folder.
  • Cannot reorganize folders or records using the Cut, Copy or Paste commands.

Please note that if a user or group is assigned the Auditor role plus additional permissions to a folder or record, the privileges associated to the folder or record will take precedence over that of the global Auditor role.

Are keystrokes or clipboard text recorded in XTAM remote sessions?

Yes, both keystroke and clipboard text are recorded in all Xton Access Manager remote sessions (video can optionally be recorded too!).

Please read our Remote Session Keystroke and Clipboard Recording page for more information.

What are Record Types?

Xton Access Manager provides a variety of out of the box Record Types to assist in creating, organizing, connecting and establishing inheritance (parent/child relationship) of strategies within your records and secrets. The following FAQ article will list and define each of the available Records Types in XTAM. Xton Access Manager Add Record - Record Types

Custom record types can also be created by System Administrators.

Please click here to read the full list of currently available out of the box Record Types in XTAM, a description of each and which fields are available.

What is a Reference Record?

A reference record is a record that is used in multiple other records so that parameters (User, Password, Certificate or Passphrase) can be shared. For example, you could create an Active Directory account record and rather than re-entering the same user, password, certificate or passphrase into multiple other records, you could simply point to this AD account as a reference and the system will auto-populate and maintain these parameters. The system will then “reference”, instead of storing a copy, this original record when needing to access the shared credentials.

To learn more and to see a quick example, please read our Reference Record page.

What is a Shadow Account?

A Shadow Account is a secondary account used to connect to the remote computer on behalf of the primary record account to perform the designated tasks.

Normally the record account is used to connect to the remote computer to execute scripts. When a shadow account is specified for the task the script is executed under the shadow account privileges although it still has access to the main record account.

To learn more about Shadow Accounts, please read our Shadow Account page.

I executed a Task and it failed with an Error response message or code. Where can I find more information to help troubleshoot this error?

Occassionally, a Task or Script will fail to execute for a number of reasons. The following Job Detail Error Response page will attempt to detail a variety of potential issues related to Job Errors and provide a few troubleshooting steps.

If your error message or code is not listed or the recommended steps did not resolve your error, please contact Support for additional assistance.

Does XTAM have REST APIs that can be called by external scripts, applications or third party products?

Yes! XTAM has a full library of REST APIs that can be called by external scripts, applications and third party products.

For a list of API examples called via PowerShell scripts, see here.

For a list of API examples called via Shell scripts, see here.

If you have a specific question or don’t see an API listed, please contact our Support Team for further assistance.

I can't connect to a session and the process is stuck on Connecting to Session Manager. What should I do?

If a user attempts to establish a session and the browser displays the message “Connecting to Session Manager”, but it does not connect to the host, then please try the following suggestions.

I need help. How do I contact support?

If you reviewed all the documentation and FAQs and are still having issues, or if you just want to speak with our support team, please contact us and we will be happy to assist.

When contacting us for support, please be prepared to

  • Demonstrate the issue on a screen sharing session or describe to us how it can be reproduced
  • Provide screenshots illustrating the issue
  • Recreate, generate and share the application’s log files so the issue can be further diagnosed.
 

Multi-factor Authentication

Duo Security MFA - How to Configure (Admin)

Xton Access Manager (XTAM) supports multi-factor authentication by integrating with Duo. If you already use Duo MFA or would like to start using it with XTAM, please contact us at support@xtontech.com for configuration assistance.

Duo Security MFA - How to Login (Users)

The experience for users who must use Duo MFA to login is slightly different than the traditional style of username and password entry that they are probably accustomed to. Although not drastically different, the following procedure must be performed by every user whose account is configured to use Duo MFA in XTAM.

As an XTAM admin, please become comfortable with this initial registration process as user questions may arise. The following page details how an end user will login using Duo MFA the first time to register their device and the process for each subsequent login. Logging in to Xton Access Manager with Duo Multi-Factor Authentication.

Google Authenticator - How to Configure (Admin)

Xton Access Manager (XTAM) supports multi-factor authentication by integrating with Google Authentication. If you already use Google MFA or would like to start using it with XTAM, please contact us at support@xtontech.com for configuration assistance.

Google Authenticator - How to Login (Users)

The experience for users who must use Google MFA to login is slightly different than the traditional style of username and password entry that they are probably accustomed to. Although not drastically different, the following procedure must be performed by every user whose account is configured to use Google MFA in XTAM.

As an XTAM admin, please become comfortable with this initial registration process as user questions may arise. The following page details how an end user will login using Google MFA the first time to register their mobile device and the process for each subsequent login. Logging in to Xton Access Manager with Google Multi-Factor Authentication.

 

Xton Access Manager Browser Extension

What is the Xton Access Manager Browser Extension

The Xton Access Manager Extension is a native browser extension that can be utilized by XTAM users to auto-populate Web login forms using records that are stored within the Xton Access Manager Identity Vault. Once logged into XTAM within the browser extension, it will securely communicate with the Identity Vault to locate any records associated to the currently displayed login form and if found, will give the user the ability to populate the username and password fields with a single click.

Continue reading about the Xton Access Manager Extension here.

How can I use the Extension in my browser?

The Xton Access Manager Extension is designed to be simple to deploy and simply to use. The following How To page will describe the process to deploy the extension to your browser to using it for the first time.

The records that appear in the Extension, where do they come from?

The Extension reads and displays records that are stored in XTAM sever’s 256-bit encrypted Identity Vault. Based on the stored records and its associated permissions, the extension determines when and to whom it will allow access to the record.

To learn more about this, please read the following page.

Can the browser extension display records for users with Viewer only permission?

Within XTAM, a user is required to have at least Unlock permissions on a record to see or reveal its secured field, like a password. By default, the XTAM Browser Extension uses this same requirement; however System Administrators can lower or decrease this requirement to allow users with Viewer permissions to load shared credentials from within the extension. This maintains the security around these fields in XTAM, while extending the functionality of loading login forms to more users.

While our default and recommended setting remains set to Unlock, if your organization fully secures the user browser and endpoints with sufficient enterprise policies, you may now update this requirement to support your use case.

To change the minimum permission level for the XTAM browser extension plugin, please perform the procedure detailed on this page.

My input fields are not auto-populating. How can I resolve this?

The Extension attempts to automatically read and detect input fields of various web configurations, but sometimes it does not always detect fields with alternative configurations. If the Extension is not detecting your user or password field on your web login page, the following FAQ page will detail some steps to resolve this behavior.

Which browsers are supported?

The Xton Access Manager Extension supports the latest version of the following desktop browsers:

  • Google Chrome
  • Microsoft Edge (coming soon)
  • Mozilla Firefox
  • Opera

Does the Extension work in Opera?

The Xton Access Manager Extension is supported as an extension for the Opera browser; however, it is not available within the Opera Extension marketplace.

If you are an Opera user, the following page will detail the process to deploy the Chrome Extension to your Opera browser.

Xton Access Manager Extension Opera Install Complete

The Xton Access Manager Extension is installed to Opera and ready for use.

 

 
 
 
 

Still can’t find what you are looking for? Send us an email and we will be happy to help!
 
 

Copyright © 2017 Xton Technologies, LLC. All rights reserved.